Validating Forms Using preg_match

Posted by Caitlinn (Caitlinn), 24 July 2004
Hiya!

I'm hoping to gain a few tips from the more experienced programmers.  I'm trying to do some form validation in PHP using preg_match.  This is what I would like to allow:

Any letters from a-z, regardless of case
can include the characters . - ' ,
can include spaces
all of the above should be allowed to be in any order throughout the string.

I do not want it to include numbers, semi-colons, colons, hash (pound sign), back or forward slashes, brackets (either curly or square), dollar signs, greater than or less than signs, or other characters such as that.

I have written:

Code:
if (!preg_match("%[a-zA-Z\.\,\-\'\ ]%",$field_name))
 {
   // invalid output would go here
   exit;
  }


It must be wrong because I am allowed to enter things like ...
O'Sm#ith
Smith 1
Smith1

I haven't the foggiest idea how to correct my problem.   I've had a look at some regexp sites to try to debug my syntax, but at this point I'm lost.  Can anyone give me some hints?

Thanks in advance

Posted by John_Moylan (jfp), 24 July 2004
You'll have to excuse the fact that I've done this in Perl, but this is more of a regex query than PHP.

Code:
if ($input =~ m/^[a-zA-Z\.\-\',\s]+$/) {

   print "\$input passed [$input]";
}
else {
   print "\$input failed [$input]";
}

The above works for me.

At the start of the regex the ^ means "starts with"
then I allow a-zA-Z then literal . - ' and then any space using \s

This is all in a character class [...] which tells the regex engine "any character listed within [...]"
Then I have a + sign which means 1 or more of what preceded it, in this case the whole character class
Finally the $ means "ends with"

Try the regex on its own,
Code:
^[a-zA-Z\.\-\',\s]+$

and let me know if you have a problem.

Unless Graham gets here first and spots errors in my regex

Cheers
jfp



Posted by admin (Graham Ellis), 24 July 2004
I spot no error in your regular expression, jfp ... but PHP's preg_match function has a strange surrounding syntax that isn't intuitive.

Try:

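if (! preg_match('/^[-a-z.,\'\s]*$/i',$fieldname)) {
    // die() needs parentheses in PHP; the rejected value is HTML-escaped before it is echoed back
    die("Oops - " . htmlspecialchars($fieldname) . " includes a bad character");
}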

Notes:  

a) This will ACCEPT a completely empty field (Caitlinn - you didn't specify one way or the other what you wanted it to do in that circumstance). Replace the * by a + to insist on there being at least one character.

b) Putting the "-" at the start of the regular expression means that the "-" is taken as a character to be matched - unless you put it at the start or end of the sequence in square brackets, a range is assumed

c) The letter "i" after the second slash means "ignore case".  Less typing than adding in an A-Z ... unless you come to explain it to someone else like I'm doing here.

As jfp explained, the big issue with your original regular expression, Caitlinn, was the lack of ^ and $ - so you were looking for a valid name WITHIN the string rather than to check if the whole string was a name.    The string  "Smith1" contained the name Smith, so it was acceptable ...

And .... welcome to opentalk

Graham
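
The difference between the unanchored and the anchored pattern, run over the sample inputs from this thread, as an added example that is not part of the original posts. The function names are hypothetical, and the use of \A ... \z with a literal space (instead of ^ ... $ and \s) is a stricter variant chosen here so that tabs and a trailing newline are rejected as well.

```php
<?php
// Added example; function names and the last four sample inputs are constructed.

// Unanchored (the original attempt): succeeds as soon as ANY one character
// of the string is in the class, so "Smith1" passes because of the "S".
function matches_unanchored(string $s): bool {
    return preg_match("%[a-zA-Z.,\\-' ]%", $s) === 1;
}

// Anchored: every character from start to end must be in the class, and
// there must be at least one. \A and \z pin the real start and end of the
// string; a bare $ would also match just before a final newline.
function is_valid_name(string $s): bool {
    return preg_match("/\\A[-a-z.,' ]+\\z/i", $s) === 1;
}

$samples = [
    "O'Sm#ith", "Smith 1", "Smith1",          // inputs quoted in the thread
    "O'Smith", "Smith-Jones, J.", "", "Smith\n",
];

foreach ($samples as $s) {
    printf(
        "%-20s unanchored=%-5s anchored=%s\n",
        json_encode($s),
        var_export(matches_unanchored($s), true),
        var_export(is_valid_name($s), true)
    );
}
```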

Posted by Caitlinn (Caitlinn), 24 July 2004
jfp and Graham,


Thanks a bunch for your answers!  I've been pulling my hair out with this expression for the last day or so.

Quote:
Caitlinn - you didn't specify one way or the other what you wanted it to do in that circumstance. Replace the * by a + to insist on there being at least one character


Hey, that's very handy, Graham!  I'll keep this in mind for future validation.  I like that /i switch too!

I've given the changes a try and everything seems to be working as expected, except the apostrophes -- it's kicking them out as an error.

I have magic quotes turned on in my php.ini, so the field value appears as Caitlinn\'s rather than Caitlinn's.  Is this what is causing the problem?  If so, is there a way to work around that without turning off magic quotes?  I'd like the values to go into the database escaped.

BTW, the value of $fieldname is coming from a form using the post method.  Then inside the script, I define the value as $fieldname=$_POST['fieldname']; for use in the preg_match statement.

You two have been a big help.  As you can tell, PHP and I are still rather new friends, and sometimes all the Googling in the world doesn't supply the exact answer you need.

Thanks again ... Cait (who's contemplating the next question -- SQL injection hack prevention )

Posted by admin (Graham Ellis), 25 July 2004
on 07/24/04 at 23:24:54, Caitlinn wrote:
I have magic quotes turned on in my php.ini, so the field value appears as Caitlinn\'s rather than Caitlinn's.  Is this what is causing the problem?  If so, is there a way to work around that without turning off magic quotes?  I'd like the values to go into the database escaped.


Probably the easiest way to do it is to "stripslashes" from the variable within the regular expression check.  This will cause the test to be made on a copy of what was truly entered by the user, without the need to write a particularly clever regular expression that allows \ but only before '.

Code:
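if (! preg_match('/^[-a-z.,\'\s]*$/i',stripslashes($fieldname))) {
     // die() needs parentheses in PHP; the rejected value is HTML-escaped before it is echoed back
     die("Oops - " . htmlspecialchars($fieldname) . " includes a bad character");
 }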
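
The stripslashes step described above, followed by the database write, as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite database and a made-up `people` table, and it uses addslashes() to stand in for magic_quotes_gpc, which was removed in PHP 5.4. Because the validator deliberately allows apostrophes, the value is passed as a bound parameter rather than relying on the automatic escaping.

```php
<?php
// Added example. Table, column and function names are hypothetical.

function is_valid_name(string $s): bool {
    return preg_match("/\\A[-a-z.,' ]+\\z/i", $s) === 1;
}

// Validate a copy of what the user actually typed, then store that raw value
// through a prepared statement.
function store_name(PDO $db, string $posted): bool {
    $raw = stripslashes($posted);            // undo the automatic escaping
    if (!is_valid_name($raw)) {
        return false;                        // reject, nothing is written
    }
    // Bound parameter: the apostrophe the validator allows is sent as data,
    // never as part of the SQL text.
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    return $stmt->execute([':name' => $raw]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT NOT NULL)');

// Simulated POST value as magic quotes would deliver it: Caitlinn\'s
$posted = addslashes("Caitlinn's");

// The escaped form fails validation because "\" is not in the character class.
var_dump(is_valid_name($posted));

// After stripslashes the same input validates and is stored unescaped.
var_dump(store_name($db, $posted));

// A sample from the thread that must still be rejected.
var_dump(store_name($db, addslashes("O'Sm#ith")));

// The table holds exactly what the user typed.
var_dump($db->query('SELECT name FROM people')->fetchAll(PDO::FETCH_COLUMN));
```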


Posted by Caitlinn (Caitlinn), 25 July 2004
Stripslashes!  Geez, how simple.  

What do they say?  Can't see the forest for the trees!

Thanks again, Graham.



This page is a thread posted to the opentalk forum at www.opentalk.org.uk and archived here for reference.